Documentation
Sign In

API Keys

API keys authenticate server-to-server access to the Anchor CRM API. Keys belong to your organization, carry explicit scopes, and can be rotated or revoked at any time.

Key format

  • Keys look like anch_ followed by 64 hex characters (32 random bytes).
  • Keys are sent as a Bearer token: Authorization: Bearer anch_...
  • Only a hash and a short prefix are stored server-side — the full key is shown once at creation and cannot be retrieved later.

Creating and managing keys

Keys are managed at Settings → API Keys (/settings/api-keys). Creating and revoking keys requires an admin role; managers can view the key list.

When creating a key you can set:

  • Name — identify the integration the key is for.
  • Scopes — what the key may do; see Scopes.
  • Expiry — optional expiresInDays; expired keys are rejected automatically.
  • IP allowlist — optional list of allowed source IPs for the key.

Rotation and revocation

Rotate a key from the same settings page (or POST /api/api-keys/{id} with session auth): a new secret is issued and the old one stops working. Revocation is immediate. Rotate on a schedule, and immediately if you suspect a key has leaked.

Storage guidance

  • Store keys in a secret manager or environment variables — never in source control, client-side code, or logs.
  • Use one key per integration so a leak can be revoked without breaking everything else.
  • Scope each key to the minimum it needs; avoid * keys for third-party integrations.

Related